HackTool - EDRSilencer Execution
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
Sigma rule
title: HackTool - EDRSilencer Execution
id: eb2d07d4-49cb-4523-801a-da002df36602
status: test
description: |
    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
    - https://github.com/netero1010/EDRSilencer
author: '@gott_cyber'
date: 2024-01-02
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\EDRSilencer.exe'
        - OriginalFileName: 'EDRSilencer.exe'
        - Description|contains: 'EDRSilencer'
    condition: selection
falsepositives:
    - Unlikely
level: high
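The three selection items above are OR-ed, and Sigma string matching is case-insensitive by default, so the rule still fires on a renamed binary as long as the PE version info (OriginalFileName, Description) survives. The following is an added example, not part of the rule or the Sigma project: a minimal evaluator for exactly this selection, run over constructed process_creation events (field names follow Sysmon Event ID 1; the sample paths and values are made up).

```python
# Mirrors the three OR-ed selection items of the Sigma rule above.
# Sigma string matching is case-insensitive by default, so both sides are
# lowercased; the '\' in the rule is a literal backslash, not an escape.
SELECTION = [
    ("Image", "endswith", "\\EDRSilencer.exe"),
    ("OriginalFileName", "equals", "EDRSilencer.exe"),
    ("Description", "contains", "EDRSilencer"),
]

def _field_matches(value, modifier, pattern):
    """Apply one Sigma modifier (endswith/contains/plain) to one field value."""
    if value is None:
        return False
    v, p = str(value).lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    return v == p  # plain Sigma value: exact, case-insensitive comparison

def matches_edrsilencer_rule(event):
    """Return the selection fields that fired for one event dict (empty if none)."""
    return [f for f, m, p in SELECTION if _field_matches(event.get(f), m, p)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: binary renamed on disk, but PE version info still carries the original name
    {"Image": r"C:\Users\Public\svchost_update.exe",
     "OriginalFileName": "EDRSilencer.exe",
     "Description": "EDRSilencer"},
    # 1: stock file name, version info stripped
    {"Image": r"C:\Temp\edrsilencer.exe",
     "OriginalFileName": "?",
     "Description": "?"},
    # 2: benign process, should not match
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "Description": "Notepad"},
]

def triage(events):
    """Return (index, fired_fields) for every event the rule would alert on."""
    return [(i, hits) for i, e in enumerate(events)
            if (hits := matches_edrsilencer_rule(e))]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: HackTool - EDRSilencer Execution ({', '.join(hits)})")
```

Events 0 and 1 alert on different fields, which is the practical reason the rule keys on PE metadata as well as the image path.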
Related rules
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- AWS GuardDuty Detector Deleted Or Updated
- AWS GuardDuty Important Change